Re: MAC before DAC vs DAC before MAC

• Previous message: David Wagner: "Re: MAC before DAC vs DAC before MAC"
• In reply to: David Wagner: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: richard offer: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Casey Schaufler: "Re: MAC before DAC vs DAC before MAC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jul 26, 2001 at 06:20:29PM +0000, David Wagner wrote:
> It is rather difficult for me to imagine a reason why we should
> worry about optimizing for syscalls that are disallowed by policy,
> and that's putting it mildly.

I apologize for dragging performance into the discussion.

I still think that optimizing the results, even ones that ought to
return failure, is a reasonable enough thing to do. (I may be the only
one. :) However, Richard and I have both proposed legitimate policies
that would suffer from either orientation of module and kernel checks.
Given that, there is no need to discuss performance (as it relates to
the hook placement problem).

I'm sorry I brought it up. :)

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Greg KH: "Re: Patch: Socket hooks"
• Previous message: David Wagner: "Re: MAC before DAC vs DAC before MAC"
• In reply to: David Wagner: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: richard offer: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Crispin Cowan: "Re: MAC before DAC vs DAC before MAC"
• Next in thread: Casey Schaufler: "Re: MAC before DAC vs DAC before MAC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 12:04:27 PDT